
> IIRC, the original attack seemed to require a huge volume of
> transactions to achieve its effect, with the result that (1) your web
> server/infrastructure may already be hosed by such an attack,
> regardless of your hashing scheme, and (2) it's easy to defend against
> the hash attack simply by having reasonable limits at the application
> level.
> 
> If those things are true, then a solution at the language level seems
> wrong if it results in _any_ penalty for normal applications -- and
> this is especially true for Lua, where the vast majority of
> applications have nothing to do with the web or "untrusted data".

That is a reasonable argument. In this working version, the only
clear penalty is the use of all bytes for hashing long strings.
Maybe that could be configurable (with the default being the old
method).

-- Roberto
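To make the trade-off in this exchange concrete, here is an added example (not Lua's lstring.c and not code from anyone in the thread) that models a Lua-style string hash with the two ingredients under discussion: a seed mixed into the initial state, and a switch between the old method (sampling every step-th byte of a long string) and hashing every byte. The function names, the `seed` parameter, the `hash_all_bytes` flag and the 64-byte sample keys are this example's own assumptions. It shows why the seed alone is not enough when bytes are skipped: two keys that differ only in a byte the sampling loop never reads collide for every seed, while hashing all bytes separates them, which is exactly the cost Roberto calls the "only clear penalty".

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model of a Lua-style string hash (added example, not Lua's
 * lstring.c). The overall shape (string length as the starting value, the
 * h ^ ((h<<5) + (h>>2) + byte) mixing step, walking the string from its end,
 * and reading only every step-th byte of a long string) is the family the
 * thread is about; the names, the `seed` parameter and the `hash_all_bytes`
 * switch are this example's own assumptions.
 *
 *   seed            mixed into the initial state so an outsider cannot
 *                   predict which keys share a bucket
 *   hash_all_bytes  0: read only every ((len>>5)+1)-th byte (old, cheap
 *                      method); 1: read every byte (the "working version"
 *                      penalty for long strings)
 */
unsigned int lua_like_hash(const char *str, size_t len, unsigned int seed,
                           int hash_all_bytes)
{
    unsigned int h = seed ^ (unsigned int)len;
    size_t step = hash_all_bytes ? 1 : (len >> 5) + 1;
    size_t l1;
    for (l1 = len; l1 >= step; l1 -= step)
        h ^= ((h << 5) + (h >> 2) + (unsigned char)str[l1 - 1]);
    return h;
}

/* Why sampling matters once keys are chosen by someone else: with a 64-byte
 * key the sampling step is 3, so the loop reads bytes 63, 60, ..., 3 and
 * never byte 0. Two constructed keys that differ only in byte 0 therefore
 * get the same sampled hash whatever the seed is; hashing every byte reads
 * byte 0 last, so the two results must differ. Returns 1 on collision. */
int keys_differing_at_byte0_collide(int hash_all_bytes, unsigned int seed)
{
    char key_a[64], key_b[64];
    memset(key_a, 'x', sizeof key_a);   /* constructed sample key */
    memcpy(key_b, key_a, sizeof key_b);
    key_b[0] = 'y';                     /* differs only in the unsampled byte */
    return lua_like_hash(key_a, sizeof key_a, seed, hash_all_bytes)
        == lua_like_hash(key_b, sizeof key_b, seed, hash_all_bytes);
}

int main(void)
{
    unsigned int seed = 0x9e3779b9u;    /* arbitrary constructed seed */
    printf("sampled hash, keys differ at byte 0: collide=%d\n",
           keys_differing_at_byte0_collide(0, seed));
    printf("full hash,    keys differ at byte 0: collide=%d\n",
           keys_differing_at_byte0_collide(1, seed));
    printf("one-byte key \"a\" with seed 0: %u, with seed 1: %u\n",
           lua_like_hash("a", 1, 0, 1), lua_like_hash("a", 1, 1, 1));
    return 0;
}
```

Compile with any C compiler (`cc -o hashdemo hashdemo.c`) and run it; the sampled mode reports a collision for every seed, the all-bytes mode does not. The `hash_all_bytes` switch is the configurable knob suggested above: leaving it at 0 keeps the old cost for long strings, while an application that hashes untrusted keys can turn it on and pay for reading every byte.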